Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AC22 Credential Aging review #239

Open
noloader opened this issue Apr 1, 2024 · 5 comments
Open

AC22 Credential Aging review #239

noloader opened this issue Apr 1, 2024 · 5 comments

Comments

@noloader
Copy link

noloader commented Apr 1, 2024

Hi Everyone,

Threatlib has an item for AC22 Credential Aging:

{
    "SID": "AC22",
    "target": [
      "Dataflow"
    ],
    "description": "Credentials Aging",
    "details": "If no mechanism is in place for managing credentials (passwords and certificates) aging, users will have no incentive to update passwords or rotate certificates in a timely manner. Allowing password aging to occur unchecked or long certificate expiration dates can result in the possibility of diminished password integrity.",
    "Likelihood Of Attack": "Medium",
    "severity": "High",
    "prerequisites": "",
    "condition": "any(d.isCredentials for d in target.data) and target.sink.inScope and any(d.credentialsLife in (Lifetime.UNKNOWN, Lifetime.LONG, Lifetime.MANUAL, Lifetime.HARDCODED) for d in target.data)",
    "mitigations": "All passwords and other credentials should have a relatively short expiration date with a possibility to be revoked immediately under special circumstances.",
    "example": "",
    "references": "https://cwe.mitre.org/data/definitions/262.html, https://cwe.mitre.org/data/definitions/263.html, https://cwe.mitre.org/data/definitions/798.html"
  }

We have learned that continuity is a better security property than rotation. Unexpected changes, like gratuitously changing public keys changing, is bad for security because it breaks pinning controls. And requiring users to rotate their password results in users choosing weaker and weaker passwords over time just to comply with a policy based on reading tea leaves.

The details and mitigation detailed in threatlib are completely wrong nowadays. They run counter to what we have learned from real world incidents and security usability studies. Nowadays we want public keys and passwords written in stone, and only changed if there is suspicion or proof of breach or misuse.

I think AC22 should be either removed from the model or limited in scope.
@izar
Copy link
Collaborator

izar commented Apr 2, 2024

Agreed. But being prepared for key rotation, on the other side, is an important requirement IMHO.
Would you like to submit a PR with better details and mitigation?

@raphaelahrens
Copy link
Contributor

What is the policy for changing an SID? Should this get a new SID or can this just be rewritten?

Further I would suggest to extract the Lifetime.HARDCODED condition and make this a new threat, since this is a design failure, which can not be fixed.

Here a first draft to change AC22:

Credential disclosure

If credentials (passwords and certificates) have a long lifetime their disclosure can have severe consequences, if the credentials cannot quickly be revoked and/or rotated.

Mitigations

All credentials need a possibility to be revoked immediately and the credentials have to have high enough entropy and length to be future proof.
To detect disclosure of the credentials their use should to be monitored for suspicions activity.

References

  • NIST SP 800-63-3

@raphaelahrens
Copy link
Contributor

@izar should I write a PR?

@izar
Copy link
Collaborator

izar commented Apr 18, 2024

sure thing!

raphaelahrens added a commit to raphaelahrens/pytm that referenced this issue Apr 20, 2024
@raphaelahrens
Replaced AC22 with AC23 and AC24
967f60c 
As mentioned in OWASP#239 AC22 Credential Aging review the threat AC22
Credential Aging was not helpful.

This commit replaces AC22 with two new threats AC23 Credential
Disclosure and AC24 Hardcoded Credentials.

AC23 checks if the lifetime of the credentials is LONG, MANAUL, or
UNKNOWN.
Currently there is no way to resolve this threat by changing the model,
besides setting the a different lifetime.

AC24 warns against the use of hardcoded credentials.
@raphaelahrens raphaelahrens mentioned this issue Apr 20, 2024
Merged
raphaelahrens added a commit to raphaelahrens/pytm that referenced this issue Apr 20, 2024
@raphaelahrens
Replaced AC22 with AC23 and AC24
360c222 
As mentioned in OWASP#239 AC22 Credential Aging review the threat AC22
Credential Aging was not helpful.

This commit replaces AC22 with two new threats AC23 Credential
Disclosure and AC24 Hardcoded Credentials.

AC23 checks if the lifetime of the credentials is LONG, MANAUL, or
UNKNOWN.
Currently there is no way to resolve this threat by changing the model,
besides setting the a different lifetime.

AC24 warns against the use of hardcoded credentials.
@raphaelahrens
Copy link
Contributor

@noloader could you also look over my PR and give your opinion?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@izar @noloader @raphaelahrens